Nmap Development mailing list archives
Re: Wireshark dissections of proposed UDP payloads
From: David Fifield <david () bamsoftware com>
Date: Wed, 19 Aug 2009 11:52:36 -0600
On Mon, Aug 10, 2009 at 02:53:40PM -0600, David Fifield wrote:
> On Wed, Jul 22, 2009 at 11:55:42AM -0600, David Fifield wrote:
> > On Sat, Jul 04, 2009 at 11:59:23AM +0200, kx wrote:
> > > This sounds like a really good idea! Out of curiosity, have you played
> > > with any of Unicornscan's UDP payloads?
> > > http://osace.svn.sourceforge.net/viewvc/osace/trunk/etc/payloads.conf?view=markup
> > > This is one of the reasons Unicornscan started as udpscan in 2004. In
> > > their FAQ they recognize another UDP scanner:
> > > http://www.geocities.com/fryxar/scanudp.c
> > > This perl script also has a lot of nice UDP payloads, including some
> > > from nmap: https://labs.portcullis.co.uk/application/udp-proto-scanner/
> > > Inside the tgz: udp-proto-scanner.conf
> >
> > Here's a summary of payloads we might want to incorporate. Of this list, I
> > think the most likely candidates are 111/rpcbind, 177/xdmcp, 500/isakmp,
> > 520/route, 1645/radius, 1812/radius, 2049/nfs, 5353/zeroconf,
> > 5632/pcanywherestat. Those are the ones in the top 100 UDP ports, anyway.
> > I would appreciate if some experts could examine those payloads and
> > comment on their safety.
I have added payloads for all of these protocols, except pcanywherestat, after researching them for safety. They were all taken from either nmap-service-probes or from one of the scanners kx listed, though in some cases I modified the payloads to make them shorter or less arbitrary. For example, the RADIUS probe in scanudp.c arbitrarily used a username and password of "a"; our probe contains no authentication at all and is used only to get back an error response. In addition to the probes above, I added one for amanda/10080, adapted from Unicornscan.

Of the potential payloads I listed in http://seclists.org/nmap-dev/2009/q3/0290.html, there are two more that are in the top 1,000 UDP ports: 5555/rplay and 5632/pcanywherestat. rplay is a sound protocol. Here is Unicornscan's payload:

    /* rplay ping, needs work */
    udp 5555 -1 1 { "\x1e\x11\x00\x00" };

The two Unicornscan payloads for pcanywherestat are

    udp 5632 -1 1 { "NQ" };
    udp 5632 -1 1 { "ST" };

I'm not averse to adding these, but I don't know what they do and I don't have a way of testing them. If someone can find out what they do, let me know.

UDP payloads are cool; they turn this output

    All 1000 scanned ports are open|filtered because of 1000 no-responses

into this:

    Not shown: 998 open|filtered ports
    Reason: 998 no-responses
    PORT     STATE SERVICE  REASON
    123/udp  open  ntp      udp-response
    5353/udp open  zeroconf udp-response

If you have a new payload to offer, please send it in, preferably along with documentation on what it does, what kind of response is expected, and the command that generated it.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
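The following is an added illustration of the mechanism the message describes, not code from Nmap, Unicornscan or David Fifield. It parses Unicornscan-style payload lines like the ones quoted above into raw bytes, builds two of the probes named in the thread (123/ntp and 5353/zeroconf) from the NTP and DNS wire formats rather than copying them from nmap-payloads, and classifies a reply into the same open / closed / open|filtered states shown in the scan output. The payload table, the meaning of the two numeric fields after the port (parsed but not interpreted), and the sample replies are all constructed for the example; the NTP and mDNS probes carry no credentials or host-specific data, which is the same safety property the message wants from a payload.

```python
import re
import socket
import struct

# Constructed payload table in the Unicornscan style quoted in the message.
# The rplay and pcanywherestat lines are the ones from the message; the two
# numeric fields after the port are not explained on the page, so they are
# matched but not interpreted (assumption: they are per-entry options).
PAYLOAD_TABLE = r'''
# comment and blank lines are skipped
udp 5555 -1 1 { "\x1e\x11\x00\x00" };
udp 5632 -1 1 { "NQ" };
udp 5632 -1 1 { "ST" };
'''

_LINE_RE = re.compile(
    r'^\s*(?P<proto>udp|tcp)\s+(?P<port>\d+)\s+(-?\d+)\s+(-?\d+)\s*'
    r'\{\s*"(?P<body>(?:[^"\\]|\\.)*)"\s*\}\s*;\s*$')


def decode_c_string(body: str) -> bytes:
    """Turn a C-style escaped string body (plain text or \\xNN escapes) into bytes."""
    return body.encode("latin-1").decode("unicode_escape").encode("latin-1")


def parse_payload_table(text: str):
    """Return [(proto, port, payload_bytes), ...] for every payload line in text."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            entries.append((m.group("proto"), int(m.group("port")),
                            decode_c_string(m.group("body"))))
    return entries


def ntp_client_request() -> bytes:
    """48-byte NTP packet: LI=0, VN=3, Mode=3 (client); every other field zero."""
    return bytes([0x1B]) + b"\x00" * 47


def looks_like_ntp_server(reply: bytes) -> bool:
    """A server reply is at least 48 bytes with Mode=4 in the low 3 bits of byte 0."""
    return len(reply) >= 48 and (reply[0] & 0x07) == 4


def mdns_services_query() -> bytes:
    """DNS query for PTR _services._dns-sd._udp.local, the usual 5353/zeroconf probe."""
    labels = [b"_services", b"_dns-sd", b"_udp", b"local"]
    name = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)   # id=0, one question
    return header + name + struct.pack("!HH", 12, 1)    # QTYPE=PTR, QCLASS=IN


def dns_answer_count(reply: bytes):
    """Answer count if reply is a DNS/mDNS response (QR bit set), else None."""
    if len(reply) < 12:
        return None
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return an if flags & 0x8000 else None


def probe_udp(host: str, port: int, payload: bytes, timeout: float = 2.0):
    """Send one payload and return (state, data) using Nmap's three UDP states.

    connect() is used so a returning ICMP port-unreachable surfaces as a
    ConnectionRefusedError (closed) instead of being silently dropped; a
    timeout is reported as open|filtered, just like the no-response case.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.send(payload)
            return "open", s.recv(4096)
        except (ConnectionRefusedError, ConnectionResetError):
            return "closed", None
        except socket.timeout:
            return "open|filtered", None


# Constructed sample replies (not captured from a real host) for offline checks.
SAMPLE_NTP_REPLY = bytes([0x24]) + b"\x00" * 47                       # LI=0, VN=4, Mode=4
SAMPLE_MDNS_REPLY = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0) + b"\x00" * 16


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    probes = ((123, ntp_client_request(), looks_like_ntp_server),
              (5353, mdns_services_query(), lambda r: dns_answer_count(r) is not None))
    for port, payload, check in probes:
        state, data = probe_udp(host, port, payload)
        reason = "udp-response" if data and check(data) else "no-response"
        print(f"{port}/udp {state} {reason}")
    for proto, port, payload in parse_payload_table(PAYLOAD_TABLE):
        print(proto, port, payload)
```

Run it as `python prober.py <host>` against a host you are allowed to scan; the reply checks are deliberately structural (mode bits, QR flag) so that a service which answers with a garbage or error response is still reported as open, which is exactly the error-response trick the message uses for RADIUS.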
Current thread:
- UDP payloads David Fifield (Jul 03)
- Re: UDP payloads Tom Sellers (Jul 03)
- Re: UDP payloads David Fifield (Jul 03)
- Re: UDP payloads Luis M. (Jul 04)
- Re: UDP payloads David Fifield (Jul 04)
- Re: UDP payloads kx (Jul 04)
- Re: UDP payloads David Fifield (Jul 04)
- Re: UDP payloads David Fifield (Jul 22)
- Wireshark dissections of proposed UDP payloads David Fifield (Aug 10)
- Re: Wireshark dissections of proposed UDP payloads David Fifield (Aug 19)
- Re: Wireshark dissections of proposed UDP payloads Henri Salo (Aug 19)
- Re: UDP payloads Tom Sellers (Jul 03)